Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2226
Views
25
Helpful
9
Replies

Posture Module stalling after doing an initial scan.

Anthony O'Reilly
Level 3
Level 3

‎05-27-2022 07:04 AM - edited ‎05-27-2022 07:28 AM

Hello,

 

I have a customer who has a two-node physical deployment (Version 3.0 Patch 5). The have Wireless NAC with Posturing checking for 3 requirements.

 

This worked perfectly for the majority of users. Lately a lot of users are noticing that after the initial scans, the AnyConnect client (4.8) stalls and then go to search for policy server. See the log from this morning.

 

     07:04:12    Ready

     07:04:12    Initializing.

     07:04:12    Scanning system ...

     07:05:02    Checking requirement 1 of 3.

     07:05:02    Checking requirement 2 of 3.

     07:05:26    Checking requirement 3 of 3.

     07:16:59    Searching for policy server.

     07:17:18    Searching for policy server.

     07:17:18    Limited or no connectivity.

     07:17:21    Searching for policy server.

     07:17:23    Checking for product updates...

     07:17:23    The AnyConnect Downloader is performing update checks...

     07:17:23    Checking for profile updates...

     07:17:23    Checking for product updates...

     07:17:23    Checking for customization updates...

     07:17:23    Performing any required updates...

     07:17:23    The AnyConnect Downloader updates have been completed.

     07:17:24    Update complete.

     07:17:24    Scanning system ...

     07:17:29    Searching for policy server.

     07:17:29    Checking for product updates...

     07:17:29    The AnyConnect Downloader is performing update checks...

     07:17:29    Checking for profile updates...

     07:17:29    Checking for product updates...

     07:17:29    Checking for customization updates...

     07:17:29    Performing any required updates...

     07:17:29    The AnyConnect Downloader updates have been completed.

     07:17:30    Update complete.

     07:17:30    Checking for product updates...

     07:17:30    The AnyConnect Downloader is performing update checks...

     07:17:30    Checking for profile updates...

     07:17:30    Checking for product updates...

     07:17:30    Checking for customization updates...

     07:17:30    Performing any required updates...

     07:17:30    The AnyConnect Downloader updates have been completed.

     07:17:30    Update complete.

     07:17:31    Scanning system ...

     07:17:35    Checking requirement 1 of 3.

     07:17:35    Checking requirement 2 of 3.

     07:17:39    Checking requirement 3 of 3.

     07:21:53    Updating network settings ...

     07:22:08    Compliant.

 

The AnyConnect Compliance module version is: 4.3.2549.6145

 

I have the event logs for two users, one where they have no issues and one for the issues that is happening above.

 

There are some entries that I am interested in:

 

The description for Event ID 259 from source nacapi cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: CNacApiShim::StatusNotification
Thread Id: 0x397C
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\nacshim.cpp
Line: 232
Level: error

StatusNotification invalid state

 

 

The description for Event ID 259 from source elaciseposture cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: COpswatV4Plugin::invokeMethod
Thread Id: 0xD44
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libopswat\opswatv4plugin.cpp
Line: 888
Level: error

Opswat returned error: -17 and converted to: 1

 

 

The description for Event ID 259 from source elaciseposture cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: COpswatV4Plugin::GetMissingPatches
Thread Id: 0xD44
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libopswat\opswatv4plugin.cpp
Line: 410
Level: error

Failed in condition: opSuccess != status

 

 

The description for Event ID 259 from source aciseagent cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: SMNavPosture::SMP_parsePkt
Thread Id: 0x1FA8
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\posture_sm\smnavposture.cpp
Line: 470
Level: error

Failed to parse posture data

 

The description for Event ID 259 from source elaciseposture cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: COpswat::getMissingPatches
Thread Id: 0xD44
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libopswat\libopswat.cpp
Line: 586
Level: error

Error in getting missing patches for product Windows Update Agent. Status : <General Error>

 

 

The description for Event ID 259 from source aciseagent cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: GetCurrentUserName
Thread Id: 0x1FA8
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libcommoncpp\impersonateuser.cpp
Line: 34
Level: error

Failed to find an active session.
The description for Event ID 259 from source aciseagent cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: GetCurrentUserName
Thread Id: 0x1FA8
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libcommoncpp\impersonateuser.cpp
Line: 37
Level: error

Failed to find session after enumerating each session.

 

Failed to find session after enumerating each session.
The description for Event ID 259 from source aciseagent cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: ping_send
Thread Id: 0x1FA8
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libvmon\ping.c
Line: 196
Level: error

socket_send error -3

 

 

The description for Event ID 259 from source aciseagent cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Function: terminate_posture
Thread Id: 0x1FA8
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\module\launchposture.cpp
Line: 298
Level: error

Terminating posture process (20956)

 

 

The users behaviours in the morning is that when he arrives in the office, his laptop is powered down. He powers the laptop up, logs in and has to wait about 20 minutes to become complaint.

 

For me the question is why does Anyconnect not after the initialization phase @ 07:04:12 , check for updates (Anyconnect Downloader) , it goes straight to Scanning.

 

After the reconnect 07:17:18 the Anyconnect Downloader performs checks (Multi cycles) with scanning happening @ 07:17:31 after update completes.

 

So something needed updating that did not happen on the initial session attempt.

 

The user that has no issues he go straight to Anyconnect Downloader performing checks after initializing phase (1 cycle), then into Scanning phase.

 

It looks to me that any time we don’t get update checks we are likely to have connection issues. It would be good to get a definitive on what is the expected behaviour here.

 

If the user reboots their laptop, posturing will be successful on the first attempt.

 

Any ideas on what I could check or do next?

Thanks

Anthony.

0 Helpful
9 Replies 9

ahollifield
VIP
VIP

‎05-27-2022 04:43 PM

Windows version?  I would also suggest upgrading to AnyConnect 4.10 and the latest version of the compliance module.  

Anthony O'Reilly
Level 3
Level 3
In response to ahollifield

‎05-28-2022 01:52 AM

OS is Windows 10

AnyConnect is 4.8.03036

 

The customer has a roadmap to go to 4.10.

0 Helpful

Marcelo Morais
VIP
VIP
In response to Anthony O'Reilly

‎05-29-2022 07:21 AM

Hi @Anthony O'Reilly ,

1st: looking at ISE 3.0 Network Component Compatibility, search for Table 11. Microsoft Windows, AnyConnect 4.8.01090 or later, in other words, your are good (no doubt that 4.10 is better).

2nd: you are "loosing" almost 16 min in these events:

07:05:26 Checking requirement 3 of 3.
07:16:59 Searching for policy server.

and

07:17:39 Checking requirement 3 of 3.
07:21:53 Updating network settings ...

Please double check if your Windows Native Supplicant is disabled.

 

Hope this helps !!!

Anthony O'Reilly
Level 3
Level 3
In response to Marcelo Morais

‎05-30-2022 06:11 AM

Hi @Marcelo Morais 

 

When you say "Please double check if your Windows Native Supplicant is disabled" 

 

Do you mean that the WLAN auto-config service has been started?

 

Thanks

Anthony.

0 Helpful

thomas
Cisco Employee
Cisco Employee
In response to Anthony O'Reilly

‎05-30-2022 06:19 AM

Windows has 2 native supplicants : 1 for wireless (enabled by default) and 1 for wired (disabled by default).

It is a good idea to enable both when doing network access control with 802.1X.

image.png

Anthony O'Reilly
Level 3
Level 3
In response to thomas

‎05-30-2022 06:21 AM

Hi all,

 

I can confirm that both of these services are started and running. Set to automatically start.

 

Thanks

Anthony.

0 Helpful

thomas
Cisco Employee
Cisco Employee

‎05-30-2022 06:57 AM

Probably another good troubleshooting case for TAC.

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎05-31-2022 05:22 PM

Anthony: I have to agree with Thomas. Please send the AnyConnect support bundle (DART) file to TAC for analysis. I have no clue from the few log entries you included above.

Anthony O'Reilly
Level 3
Level 3
In response to hslai

‎06-01-2022 12:48 AM

Hi all,
Thanks for your comments. I have logged a case with TAC and I will let you know what the root cause and resolution is.
Thanks
Anthony.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents